Major virtual private network (VPN) providers are removing their servers from India, in a bid to protest against the new directive which they say threatens the privacy of users, says a report. The new rules, according to the country's Computer Emergency Response Team (CERT), would apply to VPN companies from September 25 and they require the VPN firms to collect IP addresses, customer names and email addresses of customers.
The data collected by VPN users has to be retained for a minimum of five years and handed over to CERT-In on demand, as the agency aims to reduce the gaps in responding to cybersecurity incidents.
According to a report by The Wall Street Journal, the withdrawing VPN firms and internet-rights groups say by collecting such data, the companies will imperil their users’ privacy and curtail online speech. Digital groups say the government’s rules amount to overreach and are more typical of those imposed in China or Russia than in democracies.
Panama City-headquartered NordVPN which has already stopped operating its servers from India was quoted as saying by the report: "Such rules are “typically introduced by authoritarian governments in order to gain more control over their citizens."
What is NordVPN's Meshnet?
NordVPN which recently pulled its servers from India over the new logging and storage requirement under the government mandate also introduced Meshnet in June, which the company calls an encrypted private network solution.
Earlier speaking to ABP Live, NordVPN, a leading VPN service provider, had said that the new directive would hurt the VPN players operating in the country. Read more of the report here. In fact, NordVPN was intending to have a dialogue with the government for a "middle ground", but it had to pull its servers from India.
"We are strong proponents of the dialogue. The agenda of the Indian government is not exactly clear and we are still familiarising ourselves with the law, but from what it seems, the aim of the regulation is to improve the state of cybersecurity. If that is the case, the discussion on how the state and VPN companies can cooperate without compromising people’s privacy could be a good first step," Laura Tyrylyte, Head of Public Relations at Nord Security, had told ABP Live.
Major VPN companies that have withdrawn services in India
Some of the other VPN service providers that have stopped operating in India in recent months include US-based Private Internet Access and IPVanish, British Virgin Islands-based ExpressVPN, Canada-based TunnelBear and Lithuania-based Surfshark.
According to Surfshark, VPN suppliers leaving India aren’t good for the burgeoning IT sector. As per Surfshark’s data, since 2004, the year data breaches became widespread, 14.9 billion accounts have been leaked and a striking 254.9 million of them belong to users from India. To put in perspective, 18 out of every 100 Indians had their personal contact details breached.
What do new CERT-In rules for VPN firms say
Meanwhile, earlier in May, India's nodal agency CERT-In which deals with cyber security threats, hacking and phishing asked VPN service providers in the country to collect and store extensive user data for at least five years, citing objectives like fighting cybercrime and invoking the country's integrity and sovereignty.